S4U2Proxy Extension, 167–68
defined, 167
illustrated, 168
S4U2Self combined operation, 172
security hole, 168
See also Kerberos
S4U2Self Extension, 170–72
defined, 170–71
operation, 171
S4U2Proxy combined operation, 172
SAFER policies, 395, 400
Samba, 272–74, 278–86
architecture, 279
defined, 272
features/functionality, 273
functions, 272–73
future, 274
Kerberos and, 278
NTLM authentication support, 278
Winbind, 295–96
Scalability
KDC provision, 141–42
PKI, 443
Scripting enrollment interface, 559
Secondary Logon Service (SLS), 120–22
Secure Attention Sequence (SAS), 106
Secure channels
defined, 93
in key hierarchy, 144
management tools, 95–98
security registry hacks, 96
services, fine-tuning, 95
setup control, 94
setup service, 94
setup time, 93
troubleshooting tools, 96–97
trusts and, 93–98
validating, 94–95
in Windows environment, 93
Secure MIME (S/MIME), 568, 569, 667–79
basics, 667–69
clear signing, 674–75
configuration in Exchange 2003, 671
content types/services, 669
defined, 667
dual-key-pair system, 670
Enhanced Security Services (ESS), 675–78
Exchange Server support, 669–70
functionality, 671
mail clients, 675
Microsoft mail client support, 670–74
opaque signing, 674–75
operation, 668
Outlook 2003 registry settings, 673
Outlook client features, 672
OWA, 672
OWA support setup, 673
security extensions, 668–69
signatures, 670
signed receipt tracking information, 677
Secure Sockets Layer (SSL), 209, 223
browser-side revocation check error, 233
cache, clearing, 229
certificate validation, 231
configuration from Directory Security tab, 228
configuring, 229
crypto accelerator devices, 234
downloading, 223
in firewall environment, 235–39
lock symbol, 224
Passport use, 242
in proxy environment, 235–39
security services, 223–24
setup, 225–29
tunneling, 235–36
in Web load balancing environment, 235
Web server certificate wizard, 225, 226
See also SSL bridging
SecurID plug-in, 210, 211
Security Accounts Manager (SAM), 30
Security administration infrastructures, 5, 13–17
directories, 13–14
integration, 13
provisioning systems, 14–17
See also Trusted security infrastructures (TSIs)
Security architecture, 3
Security Assertion Markup Language (SAML), 259, 317
Security authorities, 29–37
domain, 32–37
illustrated, 30
local (LSA), 29–32
security principals and, 39
trust relationships and, 70
Security Configuration Editor and Analysis tool (SCE/SCA), 695
switches, 700
uses, 700
Security Configuration Wizard (SCW), 701–2
availability, 702
defined, 701
illustrated, 701
Security Descriptor Definition Language (SDDL), 363
Security identifiers (SIDs), 38, 43–46
defined, 43
generation, 44
GUIDs vs., 44
history, 358–59
predefined layouts, 45
structure, 45
top-level authorities, 46
uniqueness, 43
well-known, 46, 47–48
See also SID filtering
Security management, 687–720
auditing, 712–20
infrastructures, 4–5
patch, 704–12
policy, 687–704
Security Patch Bulletin Catalog, 704
Security patch management, 704–12
MBSA, 705–6
Qchain, 711
Software Update Services (SUS), 708–11
third-party tools, 712
Windows Update service, 706–8
Security policies, 402–3
CAS types, 403
default evaluation process, 411
distributing, 408
enforcement, 412–15
evaluation, 402, 409–12
evaluation order, 409
life cycle, 687, 688–89
management, 406–8
See also Code Access Security (CAS)
Security policy management, 687–704
GPOs, 689–700
Group Policy, 689–90
Microsoft Baseline Security Analyzer (MBSA), 702–3
overview, 703–4
policy life cycle, 687, 688–89
Security Configuration Editor, 700–701
Security Configuration Wizard (SCW), 701–2
third-party tools, 703
Security principals, 37–68
account lockouts, 60–67
AD replication mechanisms, 67–68
defined, 37
identifiers, 40–46
iNetOrgPerson, 39
password credentials, 46–60
security authority and, 39
SIDs, 38, 43–46
uses, 37
verifying, 38–39
See also Security identifiers (SIDs)
Security reference monitors (SRMs), 10, 329
in ACL evaluation process, 354–55
checking access tokens, 330
decisions, 330, 331
Security-related auditing, 712–20
Security Support Provider Interface (SSPI), 108, 266
as API, 109
negotiate, role, 110
PAM vs., 266
workbench, using, 111
Security Support Providers (SSPs), 108
defined, 109
multiple, 110
Security Templates MMC snap-in, 698
Selective authentication, 88–90
defined, 88
enabling, 89
See also Forest trusts
SelfRA, 553–54
SelfSSL, 227
Server for NIS, 276–78
architecture, 277
defined, 276
one-directional password synchronization, 277
Windows DC, 276
Server Message Block (SMB), 113
Server-side credential caching, 312–13
authentication, 312
products, 313
security, 313
SSO architecture, 312
Service principal names (SPNs), 42–43
defined, 42
parts, 42–43
role, in single domain environment logon, 155
Services for UNIX (SFU), 275
Password Synchronization, 282–85
server for NIS, 276–78
User Name Mapping Service, 279–81
Session keys
defined, 144
distribution, 145–46
for sealing messages, 151
for signing messages, 151
See also Kerberos; master keys
Setprfdc.exe, 97, 98
Setspn, 200
Shortcut trusts, 159–60
SID filtering, 90–91
defined, 90
enabling, 91
illustrated, 91
protection, 90
See also Forest trusts
Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), 293
Simple Authentication and Security Layer (SASL), 293
Simple Network Time Protocol (SNTP), 114
Single domain logon, 152–55
disabling Kerberos and, 154–55
illustrated, 153
local process, 152–53
network process, 153–54
SPNs role, 155
See also Kerberos
Single sign-on (SSO), 2, 299–327
authentication-related, 299
credentials, 300
extending, 314–18
extranet, 8
IAS, 325
with multiple authentication authorities, 304
with multiple authentication servers, 303
Passport, 255
pros/cons, 299–300
scope, 302
with single authentication authority, 301, 303
with single authentication server, 301
with single set of credentials, 304–8
user requirement, 275
Windows Server 2003/XP technologies, 319–26
See also SSO architectures
Smartcard Enrollment Control (SEC), 563
Smart card logon process, 186–90
illustrated, 190
steps, 189–90
trust model, 189
Smart cards
certificate enrollment station interface, 682
credentials, enrolling, 681–83
identification advantages, 683–84
leveraging, 679–85
logon, 683–85
logon interface, 684
management software, 685
management systems, 685
PIN codes and, 680
support, 680–81
vendors, 680
SMS SUS Feature Pack, 710–11
SMTP security, 678–79
Software-based storage, 481
Software restriction policies (SRPs), 393, 394–400
CAS comparison, 415–16
defined, 394
designated file-type properties, setting, 398
distributing, 395–96
enforcing, 395–96
event logging, 400
fine-tuning, 396–98
“lower-quality,” 398
managing, 395–96
rules, 398–400
sample rule scenario, 400
sol.exe-related, 399
See also Malicious mobile code (MMC) protection
Software Update Services (SUS), 704
administration interface, 710
client registry keys, 710
defined, 708
MBSA integration with, 705
server, 709
SMS Feature Pack, 710–11
software download, 709
SSL bridging, 236–39
defined, 236
illustrated, 237, 238
setup, 237–38
setup in MS ISA server environment, 238
setup with OWA Publishing Wizard, 239
See also Secure Sockets Layer (SSL)
SSO architectures, 301–14
complex, 303–14
credential synchronization, 309–10
different, advantages/disadvantages, 315
with multiple credentials, 308–14
PKI-based, 307–8
secure client-side credential caching, 310–11
secure server-side credential caching, 312–14
simple, 301–3
summary, 314
token-based, 305–6
Strong private key protection, 490–91
Symmetric cryptography, 140
System ACLs (SACLs), 333